Symantec: Mobile Malware Follows The Money

The malware threat in smartphones is only just beginning as criminals seek to find financial benefits

Despite the scams and poisoning of apps, criminals are finding it hard to steal money through Android but things may change, according to a Symantec report.

The Motivations of Recent Android Malware points out that smartphones are still in their early days but are being used increasingly for commerce, and as this use increases so will the threats. At the moment the potential returns are too small to attract the same kind of attention that cyber-criminals give to PCs.

The Three Conditions

One of the authors of the report, Eric Chien, technical director of Security Technology and Response at Symantec, wrote that mobile malware needs three things to happen before the smartphone becomes a major target.

Two of these requirements are in place because we have an open and ubiquitous platform. Compared with Apple iOS devices, the operating environment is more open because applications are to a large degree unvetted and can be readily downloaded from a number of sites rather than the single iTunes App Store. Also, the number of Android phones in use has surpassed the number of Apple mobile devices, so there are more potential targets that may be exploited.

The third requirement is that there must be a reasonable financial return to make the time and effort involved in producing malware worthwhile. Like the PC world, the attack modes that would attract scammers are billing scams where the phones call premium rate numbers, spyware to collect personal data, search engine poisoning to lead the user to malware-infected sites, pay-per-click scams, pay-per-install schemes, adware, and stealing mobile transaction authentication numbers (mTANs) used by banks to validate access.

In many cases the problem is user awareness of the access permissions granted when installing an application. At the recent RSA Conference in London, Greg Day, EMEA CTO for Symantec, told eWEEK Europe that due regard needs to be paid to what is a reasonable request and what could be a potentially compromising demand.

DroidDream was a Trojan implanted in doctored versions of legitimate applications on the Android Market. Within hours of its discovery it was found on a couple of hundred thousand devices, he said.

“When you downloaded the app it asked you if it was OK to give it certain security permissions,” Day said. “The legitimate versions asked for things like Internet access to update the application and other fairly lightweight permissions relevant to the app. Then when we looked at the Trojanised version, it said it needed full access to SMS, to any storage card, and full access to the Internet.”

He pointed out that, as a security practitioner, such a set of requests would set alarm bells ringing because it is asking him to “give away the entire keys to the city”. But his experience shows that the typical person using a smart device just clicks ‘Next’ on every request to gain access to the app as quickly as possible, because that is what they want to get to.

“I can go back 20 years in our industry and I remember talking to one of our senior researchers. We were having a discussion about prompting the user and he said, ‘Every time you ask the user a question, they’ll give you the wrong answer’. Twenty years later we’re still at the same starting point, relying on the user to understand whether these are the right security controls – to me it’s the wrong thing.”
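The permission comparison Day describes (a legitimate build asking only for network access versus a Trojanised build that also wants SMS, storage card and device-identity access) can be automated as a manifest diff. The following is an added example, not code from the article or from Symantec; the two manifests and the package name are constructed, and the high-risk list is an assumption chosen to match the permissions discussed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (not from any real app). The first stands in for
# a legitimate app that only needs network access; the second for a repackaged
# build of the same app that also demands SMS, storage and device-identity access.
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Assumed watch-list: permissions that let an app read or send texts (mTAN theft,
# premium-rate SMS), write the storage card, or read identifiers such as the IMEI.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}

def permission_delta(legit_xml, suspect_xml):
    """Permissions the suspect build declares that the legitimate build does not."""
    added = declared_permissions(suspect_xml) - declared_permissions(legit_xml)
    return {"added": sorted(added), "high_risk_added": sorted(added & HIGH_RISK)}

if __name__ == "__main__":
    delta = permission_delta(LEGIT_MANIFEST, REPACKAGED_MANIFEST)
    for perm in delta["added"]:
        print("%-45s %s" % (perm, "HIGH RISK" if perm in HIGH_RISK else "review"))
```

Run against a known-good build and a suspect build of the same package, any entry in `high_risk_added` is the kind of request Day says should set alarm bells ringing.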

New Threats On The Horizon

Day noted that there is a shift in the PC space which could be significant. Persistent threats are targeting organisations to reap larger gains. Two threats that he has seen recently involved information gathering to give competitive advantage – or at least parity.

The first targeted chemical companies to gain information on systems operations and formulas. These attacks could have been from competitors rather than the foreign government-sponsored attacks normally associated with persistent threats.

The second was the loss of a £500 million bid for clearing World War II mines because somebody hacked into the network, got a copy of the tender and undercut it.

Day believes that these types of attack will soon move to the smartphone world as an entry point to the larger company network because in the next few years there will be ten times more people with a smart device for business than there are with a PC.

Monetisation Is The Main Aim

The Symantec report also pointed out that near-field communications (NFC), which allow payment for goods using a mobile device, could be a new vector. Quite how malware may take advantage of NFC-enabled devices remains to be seen, the study said, because the payment method is in its infancy and has yet to be exploited.

Another suggested example of “monetiseable” data theft is the stealing of identifiers such as the International Mobile Equipment Identity (IMEI) code, a unique number that identifies a particular device. Cloning a mobile phone using data gathered from an app is not possible, because an additional value must be obtained directly from the SIM card, but IMEIs can be sold and reused on previously blocked phones or on counterfeit phones that may not have proper IMEIs. This is a weakness that could be used in future scams.

Many of the recent Android threats export IMEI codes, but only to identify the infected device; the IMEI has not yet become a marketable property.

The third area that the report highlighted was a smartphone version of the PC scam where fake security products trick users into purchasing a “full version” of the software to remove non-existent threats. In China, the study revealed, a scheme was reported where phones were pre-installed with Fei Liu, a download manager application, which was said to have caused system reliability issues and unconfirmed reports of improper billing. These phones also had NetQin, a mobile security product, installed that would only remove Fei Liu if the user paid an additional $2 (£1.27).

The report concludes: “So while we will continue to see malicious Android applications, additional advances in the mobile technology space that allow greater monetisation are likely required before malicious Android applications reach parity with Windows.”